Vexels data breach

Vexels Data Breach Exposes Customer PII, Subscription Details, and Payment Data on the Dark Web

The Vexels data breach has sparked serious concern across the design and creative industries after a hacker listed a large customer database for sale on a dark web forum. The compromised data reportedly includes full personal information, subscription details, and partial payment information from users of Vexels (vexels.com), one of the most popular global graphic design platforms used by freelancers, agencies, and businesses.

According to dark web intelligence sources, the attacker is offering the stolen database through a private sale on Telegram, advertising that it contains thousands of customer records verified with live samples. The seller is believed to be operating from Eastern Europe and has conducted similar leaks of subscription-based platforms in the past. The sale appears to be a “one-time purchase” to ensure exclusivity for the buyer, making this data particularly dangerous since it is likely to be used for targeted attacks rather than public resale.

Background

Vexels is a global design resource platform headquartered in Uruguay that offers a wide range of design tools, stock assets, and on-demand merch creation for professional creators and businesses. Its customer base spans over 100 countries, including the United States, the European Union, and Latin America. Vexels operates a subscription-based model, storing user account information, billing details, and creative project data within its internal systems.

The breach allegedly affects both active and former subscribers, with the stolen database containing the following fields:

  • Full PII: Names, email addresses, and phone numbers.
  • Subscription Data: Account plan type (e.g., Free, Pro, or Business), start and renewal dates, and subscription status.
  • Payment Information: Partial credit card details (card type, last four digits), billing addresses, and payment method tokens.
  • Authentication Data: Hashed or possibly plaintext passwords for login credentials.

Experts warn that this data represents a “complete profile” that allows cybercriminals to impersonate users, conduct financial scams, and take over accounts on other platforms. The breach poses an immediate financial risk due to the detailed subscription and payment context contained in the leak.

Key Cybersecurity Insights

1. Subscription Payment Scam Risk

The most immediate consequence of the Vexels data breach is the likelihood of large-scale phishing campaigns that exploit leaked customer data. Because the database includes real user names, plan types, and partial payment information, attackers can easily craft messages that appear to come from Vexels’ billing department or support team.

Example of a phishing scam: “Hello [Victim Name], your payment for the Vexels [Subscription Plan] failed on your Visa card ending in [Last 4 Digits]. To prevent service suspension, please update your payment information at [phishing link].”

This approach combines multiple authentic data points to create panic and trust. Recipients are far more likely to enter full credit card details on a fraudulent page. Such scams can result in direct financial loss within hours of the leak’s exposure.
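A mail-triage heuristic for the lure described above, as an added example that is not code from Vexels or from the original article. It flags messages that invoke the Vexels name, carry at least two of the lure's traits, and link or claim a sender anywhere other than vexels.com; the function names, patterns, and `.example` domains are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

LEGIT_DOMAIN = "vexels.com"  # the one site the article tells users to visit directly
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.I)
# Traits of the article's sample lure: failed payment, card "ending in" NNNN, urgency.
LURES = {
    "payment_failed": re.compile(r"payment\b.{0,60}\bfailed", re.I | re.S),
    "card_last4": re.compile(r"ending in \d{4}\b", re.I),
    "urgency": re.compile(r"suspen(?:sion|ded)|update your payment", re.I),
}

def on_legit_domain(host):
    """True only for vexels.com or a real subdomain, not vexels.com.evil.example."""
    host = (host or "").lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def link_is_offsite(url):
    try:
        return not on_legit_domain(urlsplit(url).hostname)
    except ValueError:  # malformed URL: treat as untrusted
        return True

def triage(raw_email):
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    name, addr = parseaddr(str(msg.get("From", "")))
    claims_vexels = "vexels" in " ".join([name, str(msg.get("Subject", "")), body]).lower()
    lures = sorted(k for k, rx in LURES.items() if rx.search(body))
    offsite = sorted({u for u in URL_RE.findall(body) if link_is_offsite(u)})
    # From is trivially forged: a mismatch is a signal, a match proves nothing.
    sender_mismatch = claims_vexels and not on_legit_domain(addr.rpartition("@")[2])
    suspicious = claims_vexels and len(lures) >= 2 and bool(offsite or sender_mismatch)
    return {"lures": lures, "offsite_links": offsite,
            "sender_mismatch": sender_mismatch, "suspicious": suspicious}

# Constructed sample messages (not real mail); .example domains are placeholders.
PHISH = ("From: Vexels Billing <billing@vexels-support.example>\nSubject: Action required\n\n"
         "Hello Jane, your payment for the Vexels Pro plan failed on your Visa card ending in 4242. "
         "To prevent service suspension, update your payment information at\n"
         "https://vexels.com.billing-update.example/pay\n")
BENIGN = ("From: Vexels <news@vexels.com>\nSubject: New templates\n\n"
          "Browse this week's designs at https://www.vexels.com/new\n")
```

The suffix check in `on_legit_domain` is what catches lookalike hosts that merely begin with `vexels.com`.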

2. Credential Stuffing and Account Takeover Threat

The leak reportedly includes password hashes for user accounts, and in some cases, passwords may have been stored in weak or reversible formats. Once the data is released, attackers will run these hashes through automated cracking tools like Hashcat to recover the passwords quickly. Cybercriminals will then attempt credential stuffing attacks, trying the same credentials on other design, e-commerce, or financial platforms.

Design professionals often reuse passwords across tools such as Adobe Creative Cloud, Canva, Figma, or Envato. Once compromised, attackers can access valuable intellectual property, design templates, and even stored payment details in connected accounts.
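How a service whose users overlap with the leaked list could spot this pattern in its own login logs, as an added example that is not part of the original article. Credential stuffing shows up as one source trying many distinct accounts with few successes; the log format, thresholds, and sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for illustration; calibrate against your own traffic.
WINDOW = timedelta(minutes=10)
MIN_ACCOUNTS = 5          # distinct usernames from one source inside WINDOW
MAX_SUCCESS_RATIO = 0.2   # stuffing mostly fails; real users mostly succeed

def parse(line):
    """Hypothetical log format: '<ISO timestamp> <source ip> <username> <ok|fail>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"

def detect_stuffing(lines):
    """Flag sources trying many accounts with few successes.
    Returns {ip: {"tried": [...], "succeeded": [...]}}; 'succeeded' accounts
    need a forced reset because a reused password worked."""
    recent = defaultdict(deque)
    hits = {}
    for ts, ip, user, ok in sorted(parse(l) for l in lines if l.strip()):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:      # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        wins = {u for _, u, o in q if o}
        ratio = sum(1 for _, _, o in q if o) / len(q)
        if len(users) >= MIN_ACCOUNTS and ratio <= MAX_SUCCESS_RATIO:
            h = hits.setdefault(ip, {"tried": set(), "succeeded": set()})
            h["tried"] |= users
            h["succeeded"] |= wins
    return {ip: {k: sorted(v) for k, v in h.items()} for ip, h in hits.items()}

# Constructed sample log (documentation IP ranges, invented usernames).
SAMPLE_LOG = """\
2025-01-01T10:00:00 203.0.113.7 alice fail
2025-01-01T10:00:05 203.0.113.7 bob fail
2025-01-01T10:00:10 203.0.113.7 carol fail
2025-01-01T10:00:15 203.0.113.7 dave fail
2025-01-01T10:00:20 203.0.113.7 erin fail
2025-01-01T10:00:25 203.0.113.7 frank ok
2025-01-01T10:01:00 198.51.100.4 gina fail
2025-01-01T10:01:20 198.51.100.4 gina fail
2025-01-01T10:01:40 198.51.100.4 gina ok
""".splitlines()
```

The single user who mistypes a password twice is not flagged, because only one account is involved; the source that cycles through six accounts is, and its one successful login is the account to lock first.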

3. Identity Theft and Invoice Fraud

With access to detailed personal and billing information, attackers can impersonate legitimate freelancers or businesses to conduct invoice fraud. They can contact clients pretending to be designers or agencies who use Vexels and send fake invoices referencing actual subscription data. This method of fraud has become increasingly common as attackers exploit data from creative and SaaS platforms to deceive business partners and customers alike.

Because Vexels users often operate as freelancers or small agencies, they are prime targets for such scams. Attackers may also attempt social engineering against payment processors or domain registrars by impersonating verified business owners using data leaked from this breach.

4. Legal and Regulatory Consequences

The Vexels data breach has far-reaching legal implications under multiple privacy frameworks. While the company is headquartered in Uruguay, it actively markets to users in the European Union and the United States, making it subject to several major data protection laws:

  • GDPR (General Data Protection Regulation): Requires companies that process EU citizens’ personal data to notify supervisory authorities within 72 hours of discovering a breach and inform affected users without undue delay.
  • CCPA (California Consumer Privacy Act): Covers U.S. users’ right to know what personal data is collected and how it is used. If California-based users are affected, Vexels may be liable for fines under U.S. jurisdiction.
  • Law 18.331 (Uruguay Data Protection Law): Requires notification to the Unidad Reguladora y de Control de Datos Personales (URCDP) for any compromise of user information stored within Uruguay’s borders.

Failure to comply with these regulations can result in significant fines. Under GDPR alone, penalties can reach up to 4 percent of a company’s annual global revenue. Beyond financial costs, the reputational damage from such a public breach can devastate trust in a platform heavily reliant on subscriptions and creative professionals.

Technical Analysis

Preliminary analysis suggests the breach likely stemmed from either an insecure API endpoint or a misconfigured cloud storage environment. Security researchers observed similarities between this incident and prior leaks affecting other SaaS companies, where attackers exploited publicly exposed backup archives or weakly secured databases.

Some indicators point toward an SQL injection vulnerability in a legacy version of the Vexels backend, which could have allowed attackers to extract database records in bulk. The presence of detailed subscription metadata and payment card fragments suggests deep access to the platform’s customer management system rather than a single credential dump.

Investigators also noted that sample data shared by the threat actor included timestamps consistent with recent account activity, indicating that the breach occurred within the past two months and may still be ongoing. The possibility of an insider leak cannot be ruled out, given the targeted structure of the stolen data.

Mitigation Strategies

For Vexels (The Company)

  • Engage a DFIR Team Immediately: Launch a full forensic investigation to identify the attack vector, assess data exposure, and ensure all compromised systems are isolated and secured.
  • Force Password Reset and Invalidate Sessions: Require all users to reset their passwords and terminate active login sessions to prevent further unauthorized access.
  • Implement Multi-Factor Authentication (MFA): Enforce MFA across all accounts to protect users from future credential-based attacks.
  • Report to Regulators: Notify the appropriate data protection authorities within 72 hours of discovery, including the EU DPA and Uruguay’s URCDP.
  • Public Communication: Issue an official statement confirming the breach, advising customers on phishing awareness, and providing updates through verified channels only.
  • Review and Harden Infrastructure: Conduct an in-depth security audit of APIs, cloud services, and database configurations. Implement network segmentation and intrusion detection systems.

For Affected Users (Victims)

  • Change Reused Passwords: Immediately update passwords on Vexels and any other platforms where the same credentials may have been used.
  • Monitor Financial Accounts: Regularly review your bank and credit card statements for unauthorized charges or suspicious activity.
  • Beware of Subscription Scams: Be cautious of any email or text message claiming your Vexels payment failed. Never click embedded links. Instead, visit vexels.com directly to verify your account status.
  • Use Trusted Security Software: Scan your system for malware and phishing payloads using reliable cybersecurity software such as Malwarebytes.
  • Enable Alerts: Set up transaction alerts with your bank and credit card provider to detect fraudulent charges quickly.

Industry and Consumer Impact

The Vexels data breach highlights a growing trend in cybercrime targeting SaaS and design-oriented platforms that store creative assets and billing information. These services often balance ease of use with cloud integration, creating opportunities for threat actors to exploit overlooked vulnerabilities.

For small businesses, freelancers, and marketing agencies, a compromised Vexels account could lead to data theft, design piracy, and the loss of sensitive client information. Competitors or cybercriminals may resell stolen creative assets or use leaked project data for fraud or extortion.

From a regulatory standpoint, this breach will likely trigger new scrutiny on subscription-based digital platforms and their payment data handling practices. Similar incidents involving Canva and Envato have already led to widespread demands for stronger data encryption, faster breach disclosure, and enforced multi-factor authentication for users worldwide.

Long-Term Consequences

Even after passwords are reset and systems patched, the aftermath of the Vexels data breach will linger. Leaked customer records will circulate indefinitely on underground forums, giving cybercriminals a continuous source of verified user data for new scams. Compromised information such as partial payment data, billing details, and subscription metadata can be reused in future phishing or identity theft schemes.

For Vexels, rebuilding user trust will require complete transparency, ongoing updates, and demonstrable security improvements. The platform’s reputation among creative professionals and B2B partners will depend heavily on how quickly it responds and how openly it communicates the results of its investigation.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
